PT-2025-50292 · Mastodon · Mastodon
Sugar700
·
Published
2025-12-09
·
Updated
2025-12-11
·
CVE-2025-67500
CVSS v3.1
3.7
Low
| Vector | AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
Mastodon versions 4.2.27 and prior
Mastodon versions 4.3.0-beta.1 through 4.3.14
Mastodon versions 4.4.0-beta.1 through 4.4.9
Mastodon versions 4.5.0-beta.1 through 4.5.2
Description
Mastodon, a free and open-source social network server based on ActivityPub, contains discrepancies in error handling. An attacker with knowledge of a status identifier, even if unauthorized to view it, can determine the status's existence by sending a request with a non-English
Accept-Language header. This does not allow access to the status content or any other properties beyond its existence.Recommendations
Update to Mastodon version 4.2.28 or later.
Update to Mastodon version 4.3.15 or later.
Update to Mastodon version 4.4.10 or later.
Update to Mastodon version 4.5.3 or later.
Exploit
Fix
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Mastodon